Update security doc (#257)

Samsung · Oct 24, 2023 · 9158e76 · 9158e76
1 parent 79eb5c6
commit 9158e76
Show file tree

Hide file tree

Showing 2 changed files with 165 additions and 1 deletion.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -6,11 +6,15 @@
     2.1 [Supported Versions](#21-supported-versions)  
     2.2 [Vulnerability Report](#22-vulnerability-report)  
     2.3 [Security Disclosure](#23-security-disclosure)  
+3. [Security requrements](#3-security_requirements)
+4. [Security Software life cycle processes](#4-security-software-life-cycle-processes)
 
 ## 1. Introduction
 
 This document outlines the procedures for addressing vulnerabilities, the supported versions of LPVS, security requirements, and the recommended practices for developing secure code.
 
+---
+
 ## 2. Vulnerabilities
 
 ### 2.1 Supported Versions
@@ -46,4 +50,121 @@ We appreciate your collaboration in making LPVS more secure.
 
 If you have any further questions or concerns, please reach out to us.
 
-Note: This security policy is subject to change and may be updated without notice.
+Note: This security policy is subject to change and may be updated without notice.
+
+---
+
+## 3. Security requrements
+
+```plantuml
+@startuml
+
+left to right direction
+usecase "Security requirements"     #palegreen;line:black
+usecase Confidentiality     as Co   #lightblue;line:black
+usecase Integrity           as In   #lightblue;line:black
+usecase Availability        as Av   #lightblue;line:black
+usecase "Access control"    as Ac   #lightblue;line:black
+usecase Identification              #lightblue;line:black
+usecase Authentication              #lightblue;line:black
+usecase Authorization               #lightblue;line:black
+usecase Non                         #lightblue;line:black as "Non-public data 
+    is kept confidential"
+usecase "User privacy maintaned"    #lightblue;line:black
+usecase "All data is confidential"  #lightblue;line:black
+usecase "HTTPS: data in motion"     #lightblue;line:black
+usecase "Authorization via GITHUB"  #lightblue;line:black
+usecase Dtm                         #lightblue;line:black as "Data modification
+    requires authorization"
+usecase "Multiple backups"          #lightblue;line:black
+usecase "Rerstore after DDoS"       #lightblue;line:black
+
+
+(Security requirements) <-- (Co)    #line:black;line.bold
+(Security requirements) <-- (In)    #line:black;line.bold
+(Security requirements) <-- (Av)    #line:black;line.bold
+(Security requirements) <-- (Ac)    #line:black;line.bold
+
+(Ac) <-- (Identification)           #line:black
+(Ac) <-- (Authentication)           #line:black
+(Ac) <-- (Authorization)            #line:black
+(Co) <-- (User privacy maintaned)   #line:black
+(Co) <-- (Non)                      #line:black
+(Co) <-- (All data is confidential) #line:black
+(Co) <-- (HTTPS: data in motion)    #line:black
+(In) <-- (HTTPS: data in motion)    #line:black
+(In) <-- (Authorization via GITHUB) #line:black
+(In) <-- (Dtm)                      #line:black
+(Av) <-- (Multiple backups)         #line:black
+(Av) <-- (Rerstore after DDoS)      #line:black
+
+@enduml
+```
+
+---
+
+## 4. Security Software life cycle processes
+```plantuml
+@startuml
+
+left to right direction
+usecase SSLCP           #palegreen;line:black   as  "Security Software
+    life cycle processes"
+usecase "Certification & Controls"      as CC       #lightblue;line:black
+usecase CBPB            #lightblue;line:black   as  "CII Best 
+    Practices badge"
+usecase "OpenSSF Score Card"            as OSSFSC   #lightblue;line:black
+usecase "Security in maintenance"       as SM       #lightblue;line:black
+usecase ADPV            #lightblue;line:black   as  "Auto-detect publicy
+    vulnerabilities"
+usecase "Rapid update"                  as RU       #lightblue;line:black
+usecase KDKDSS          #lightblue;line:black   as  "Key developers know how to
+    develop secure software"
+usecase "Infrastructure management"     as IM       #lightblue;line:black
+usecase DTEPA           #lightblue;line:black   as  "Development & test
+    environments protected
+    from attack"
+usecase CIATEP          #lightblue;line:black   as  "CI automated test
+    environment does not have
+    protected data"
+usecase SIV             #lightblue;line:black   as  "Security in integration
+    & verification"
+usecase "Style checking tools"          as SCT      #lightblue;line:black
+usecase SCWA            #lightblue;line:black   as  "Source code
+    weakness analyzer"
+usecase FLOSS           #lightblue;line:black
+usecase "Negative Testing"              as NT       #lightblue;line:black
+usecase UTC             #lightblue;line:black   as  "Unit Test
+    coverage >75%"
+usecase "Security in design"            as SD       #lightblue;line:black
+usecase "Simple design"                 as SID      #lightblue;line:black
+usecase "Memory-safe languages"         as MSL      #lightblue;line:black
+usecase SDISS           #lightblue;line:black   as  "Secure disign
+    includes S&S"
+
+
+(SSLCP) <-- (CC)                    #line:black;line.bold
+(SSLCP) <-- (SM)                    #line:black;line.bold
+(SSLCP) <-- (KDKDSS)                #line:black;line.bold
+(SSLCP) <-- (SIV)                   #line:black;line.bold
+(SSLCP) <-- (IM)                    #line:black;line.bold
+(SSLCP) <-- (SD)                    #line:black;line.bold
+
+(CC)    <-- (CBPB)                  #line:black
+(CC)    <-- (OSSFSC)                #line:black
+(SM)    <-- (ADPV)                  #line:black
+(SM)    <-- (RU)                    #line:black
+(IM)    <-- (DTEPA)                 #line:black
+(IM)    <-- (CIATEP)                #line:black
+(SIV)   <-- (SCT)                   #line:black
+(SIV)   <-- (SCWA)                  #line:black
+(SIV)   <-- (FLOSS)                 #line:black
+(SIV)   <-- (NT)                    #line:black
+(SIV)   <-- (UTC)                   #line:black
+(SD)    <-- (SID)                   #line:black
+(SD)    <-- (MSL)                   #line:black
+(SD)    <-- (SDISS)                 #line:black
+
+@enduml
+```
+---
diff --git a/.github/workflows/CODE_OF_CONDUCT.md b/.github/workflows/CODE_OF_CONDUCT.md
@@ -0,0 +1,43 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at _[email protected]_. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.4, available at [http://contributor-covenant.org/version/1/4](http://contributor-covenant.org/version/1/4/)